
firmware 1.1 problem quickcreds


johnjohnsp1


Hello,

Since upgrading the firmware from 1.0 to the latest 1.1 I have some problems running payloads that need to "GET TARGET_IP".

I have downloaded the latest payloads folder tree with git --> https://github.com/hak5/bashbunny-payloads/

This is the content of the get.sh file inside the folder /payloads/library/extensions:

 

#!/bin/bash

function GET() {
    case $1 in
        "TARGET_IP")
            export TARGET_IP=$(cat /var/lib/dhcp/dhcpd.leases | grep ^lease | awk '{ print $2 }' | sort | uniq)
            ;;
        "TARGET_HOSTNAME")
            export TARGET_HOSTNAME=$(cat /var/lib/dhcp/dhcpd.leases | grep hostname | awk '{print $2 }' | sort | uniq | tail -n1 | sed "s/^[ \t]*//" | sed 's/\"//g' | sed 's/;//')
            ;;
        "HOST_IP")
            export HOST_IP=$(cat /etc/network/interfaces.d/usb0 | grep address | awk {'print $2'})
            ;;
        "SWITCH_POSITION")
            [[ "$(cat /sys/class/gpio_sw/PA8/data)" == "0" ]] && export SWITCH_POSITION="switch1" && return
            [[ "$(cat /sys/class/gpio_sw/PL4/data)" == "0" ]] && export SWITCH_POSITION="switch2" && return
            [[ "$(cat /sys/class/gpio_sw/PL3/data)" == "0" ]] && export SWITCH_POSITION="switch3" && return
            export SWITCH_POSITION="invalid"
            ;;
    esac
}

export -f GET

Opened with Notepad++, I have also done the step Edit --> EOL --> convert to UNIX format.

I remove the BB, set switch1, then plug it in; I still see the purple LED and right after that keep getting a red LED continuously.

Inside the loot folder the result is noname.

Maybe GET TARGET_IP is not working as intended, or like the previous bunny_helpers.sh?

Both responder and impacket are installed.

I really have no idea why it fails... any help? Or has anyone else got the same issue on the new firmware 1.1?

 

Thanks


Can you guys successfully connect to the BB through SSH with the IP 172.16.64.1? If so, see if you can ping the IP given to the machine; mine is usually 172.16.64.10. It should show via ifconfig or ipconfig in the respective operating systems whether the system is receiving an IP. An example payload of these in action is as follows.


# System default payload
LED R SLOW
ATTACKMODE RNDIS_ETHERNET
GET TARGET_HOSTNAME
GET TARGET_IP
cd /
if [ ! -d "temp" ]; then
   mkdir temp
fi
echo $TARGET_IP $TARGET_HOSTNAME > /temp/TestOutput

This should create a file at /temp/ named TestOutput. To access it, log into the bunny and look for it:


cat /temp/TestOutput

I don't have my bunny at the moment to test the code, but you should be able to see what the payloads see. If you cannot access the bunny, make sure that your computer can correctly see the bunny (e.g. drivers found).



Thanks for the answer, I was able to run the code you posted:

 

- confirm the LED R SLOW is OK

And here is the content of TestOutput:

 

172.16.64.10 WS-ATIHD6870

 

So I think everything completed fine without any errors.

I still don't understand why QuickCreds hangs on LED R SLOW and fails...

 

Thanks anyway


OK, I found out what the problem was that made every attempt with QuickCreds fail!

Inside the folder tree I had:

/tools/Responder instead of /tools/responder/,

and even when changing payload.txt to point at /tools/Responder/ the code was somehow failing.

I then decided to rename /tools/Responder to /tools/responder without modifying the payload, and voila! The code completed without any errors.

Thanks to Altecheon for getting me to run that test and making me think about it once more.

I don't know why pointing the payload at Responder instead of responder wasn't working, but at least it's working now, so it's all good!!

/cheers


1 minute ago, mrpmcfc said:

I can ping the machine from the bunny, but if I run your script the TestOutput is empty.

If the script returns blank, make sure that the GET function is in the extensions folder of the library folder.

If it isn't there, then make sure to put the newest repository on the bunny. It should have the extension.


Sorry,

can you explain how you installed manually?

When I SSH into it I can see them installed, but when trying QuickCreds I just end up with the machine name and an empty folder.

LED flashes amber but never green.

 

Thanks



If you can see them in tools when you SSH in then you already have them; just be sure you've run impacket's setup from the tools/impacket/ location:

python ./setup.py install

Also be sure you're using the latest QuickCreds and that the extensions folder is in the right place, as a previous poster mentioned.

 


5 months later...

DavidDoherty

Hi Folks

I am having similar issues (still) with empty loot folders and internet connections, so I decided to do a bit of investigation, on the back of the advice above, to test the GET command.

I reset the bunny, applied the 1.3 firmware update and installed tools. All good so far. I then set up a payload to run as an ethernet card, i.e. ATTACKMODE RNDIS_ETHERNET on switch 1.

I can now connect, on my Windows 10 Home laptop, via SSH to the bunny on the usual IP address of 172.16.64.1. I cannot, though, ping anything, even though internet sharing is set up as per the wiki.

When I look at the GET command I can see that, for TARGET_IP and TARGET_HOSTNAME, it queries the /var/lib/dhcp/dhcpd.leases file. When I look in here I don't get what I expected. The contents of this file is one line: server-duid "\000\001\000\001 \242\267\363Z\000\000ZZ\000";

Strangely enough, the contents of the /etc/network/interfaces.d/usb0 file looks good:

allow-hotplug usb0
auto usb0
iface usb0 inet static
         address 172.16.64.1
         netmask 255.255.255.0
         gateway 172.16.64.64
         dns-nameserver 8.8.8.8
         dns-nameserver 8.8.4.4

 

So my payloads will never work without the target IP or hostname.

Can anyone please point me to what I am getting wrong?

For reference, I have followed the wiki internet sharing instructions religiously, and my wifi interface is sharing with my bunny interface.

Regards
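As an added example (not code from the bashbunny-payloads repository or from any poster in this thread), the bash script below does what GET TARGET_IP and GET TARGET_HOSTNAME do, i.e. reads the ISC dhcpd leases file, but handles the two failure modes this thread ran into: a leases file that contains only the server-duid header because no client has taken an address yet (the stock GET extension then exports an empty TARGET_IP and the payload carries on with nothing), and a tool directory whose name differs only in case from the one the payload references (/tools/Responder versus /tools/responder, which are different paths on Linux). The function names, the polling timeout and the sample leases file built in demo() are this example's own assumptions; the two fixture files are constructed from the contents shown in the posts above.

```shell
#!/bin/bash
# Added example, not part of the bashbunny-payloads repo. Function names,
# timeouts and the fixture built in demo() are this example's own choices.

# Print "<ip> <hostname>" for the most recent lease block in an ISC dhcpd
# leases file. Return 1 when the file has no "lease <ip> {" block at all,
# which is what a file holding only a 'server-duid ...;' line looks like.
parse_leases() {
    local leases_file="$1" ip host
    [ -r "$leases_file" ] || return 1
    # dhcpd appends a fresh block on every renewal; the last one is current.
    ip=$(awk '/^lease /{ip=$2} END{if (ip) print ip}' "$leases_file")
    [ -n "$ip" ] || return 1
    # client-hostname lines look like:   client-hostname "WS-ATIHD6870";
    host=$(awk -v ip="$ip" '
        $1 == "lease" && $2 == ip        { inblk = 1; h = "" }
        inblk && $1 == "client-hostname" { gsub(/[";]/, "", $2); h = $2 }
        inblk && /^}/                    { inblk = 0 }
        END { print h }' "$leases_file")
    printf '%s%s\n' "$ip" "${host:+ $host}"
}

# Poll the leases file until a lease shows up or the timeout (seconds) passes.
wait_for_lease() {
    local leases_file="$1" timeout="${2:-30}" waited=0 result
    while [ "$waited" -lt "$timeout" ]; do
        if result=$(parse_leases "$leases_file"); then
            printf '%s\n' "$result"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Check that $tools_root/$name exists with exactly that spelling. Linux paths
# are case-sensitive, so /tools/Responder does not satisfy a payload that
# runs /tools/responder/Responder.py. Return 2 on a case-only mismatch so the
# payload can log something more useful than "No such file or directory".
check_tool_dir() {
    local tools_root="$1" name="$2" other
    [ -d "$tools_root/$name" ] && return 0
    other=$(find "$tools_root" -mindepth 1 -maxdepth 1 -type d -iname "$name" 2>/dev/null | head -n 1)
    if [ -n "$other" ]; then
        echo "case mismatch: payload expects $tools_root/$name but found $other" >&2
        return 2
    fi
    return 1
}

# What a QuickCreds-style payload could run before starting Responder.
# Defaults are the Bash Bunny paths; arguments override them for testing.
preflight() {
    local leases="${1:-/var/lib/dhcp/dhcpd.leases}" tools="${2:-/tools}" timeout="${3:-30}" target
    check_tool_dir "$tools" responder || return 1
    target=$(wait_for_lease "$leases" "$timeout") || {
        echo "no DHCP lease in $leases after ${timeout}s; is the host on the RNDIS interface?" >&2
        return 1
    }
    export TARGET_IP="${target%% *}"
    export TARGET_HOSTNAME="${target#* }"
    # A lease block without client-hostname leaves target as just the IP.
    [ "$TARGET_HOSTNAME" = "$TARGET_IP" ] && export TARGET_HOSTNAME=""
    return 0
}

# Constructed fixture: the two dhcpd.leases states described in this thread.
demo() {
    local tmp
    tmp=$(mktemp -d)
    cat > "$tmp/empty.leases" <<'EOF'
server-duid "\000\001\000\001 \242\267\363Z\000\000ZZ\000";
EOF
    cat > "$tmp/full.leases" <<'EOF'
server-duid "\000\001\000\001 \242\267\363Z\000\000ZZ\000";
lease 172.16.64.10 {
  starts 1 2017/03/20 10:00:00;
  client-hostname "WS-ATIHD6870";
}
EOF
    mkdir -p "$tmp/tools/Responder"
    parse_leases "$tmp/empty.leases" || echo "empty.leases: no lease yet (GET would export an empty TARGET_IP)"
    parse_leases "$tmp/full.leases"
    check_tool_dir "$tmp/tools" responder || echo "check_tool_dir returned $?"
    rm -rf "$tmp"
}

demo
```

In a payload this replaces the bare `GET TARGET_IP` with `preflight || { LED R SLOW; exit 1; }`, so the failure is visible on the LED and in stderr instead of the payload silently running Responder against an empty target.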

Folks

 

Instead of doing what I normally do (posting here and hoping someone can save me), I decided to look into this myself. 24 hours later, after lots of netstat commands and troubleshooting, I decided to start again with trying to get the bunny online.

Step 1 - Clear all old bunny interfaces from Windows.

Step 2 - Realise how much of a muppet I have been after seeing 3 bunny-related interfaces.

Step 3 - Delete all the NDIS interfaces.

Step 4 - Launch payload with NDIS_ETHERNET.

Step 5 - Follow the connection sharing steps.

Step 6 - Success.

Step 7 - See Step 3 re muppet reference.

 

What a relief.

Hope that helps someone who cannot understand why their bunny cannot share a Windows internet connection.

Regards

 

David

